b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43fa

General

Target

b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.exe
Size

2.0MB
MD5

adc73376517bca5de504eaaafb438530
SHA1

28a2635125d80b9739ed8d35658cf089ab5f6b30
SHA256

b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43fa
SHA512

c243c25aad8417132aecad0277d371f1b8e19dcb5b90dbd3fde8a415697fca9f97e75812bd6dc83fa0d1e764fa0dbd0389201aea0f3237356e9edbdff271ec93
SSDEEP

49152:OFUcx88PWPOpX0SFmDCuF6RkEDob+/DWuizp5ToFQqAyfyGc:O+K88uPCHkD5F6R9obeCuc7caqAWyGc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	4135.tmp

Loads dropped DLL 1 IoCs

pid	Process
2248	b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4135.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2680	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2720	4135.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2680	WINWORD.EXE
2680	WINWORD.EXE
2680	WINWORD.EXE
2680	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2720	2248	b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.exe	30
PID 2248 wrote to memory of 2720	2248	b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.exe	30
PID 2248 wrote to memory of 2720	2248	b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.exe	30
PID 2248 wrote to memory of 2720	2248	b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.exe	30
PID 2720 wrote to memory of 2680	2720	4135.tmp	31
PID 2720 wrote to memory of 2680	2720	4135.tmp	31
PID 2720 wrote to memory of 2680	2720	4135.tmp	31
PID 2720 wrote to memory of 2680	2720	4135.tmp	31

C:\Users\Admin\AppData\Local\Temp\b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.exe
"C:\Users\Admin\AppData\Local\Temp\b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\4135.tmp
  "C:\Users\Admin\AppData\Local\Temp\4135.tmp" --splashC:\Users\Admin\AppData\Local\Temp\b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.exe A0604EFA33F97BCA9D7188B28961BCB8E5AB3B6801798CF1B0B4631FC35927BD3D2FB621F5D7CD618013C3FD9414BDBC57304F2FD155E05D2B74E9CCB5D38CB5
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.docx"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b4b1374c542b939bc413963d924437a12db022ad5f77c51cec52290fcd6a43faN.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
\Users\Admin\AppData\Local\Temp\4135.tmp

Filesize
2.0MB

MD5
f476e7b2fc2e5721de36c6853718fdbe

SHA1
096436292c888040b9e26cc2ed681a08fbd68d74

SHA256
50fdaba601567d4fc6dfd6bab59c14b5111d1aad2e4ff0059daeda42cffe1e41

SHA512
8f650a026083aa6b70fd94b7d37c2e01cfa2d5d480b1900fcd34d7457d817f41b87c781154611b1bc8445abc48d21bd7ab603cc18b6ae9682ad631108ce389d5

Download Submit
memory/2248-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2680-9-0x000000002FC91000-0x000000002FC92000-memory.dmp

Filesize
4KB

Download
memory/2680-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2680-11-0x0000000073D6D000-0x0000000073D78000-memory.dmp

Filesize
44KB

Download
memory/2680-14-0x0000000073D6D000-0x0000000073D78000-memory.dmp

Filesize
44KB

Download
memory/2720-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing